UNCLASSIFIED

United States Department of State and the Broadcasting Board of Governors
Office of Inspector General

Information Technology Memorandum Report

Review of the Information Security Program at the Broadcasting Board of Governors

Report Number IT-A-04-07, September 2004

IMPORTANT NOTICE

This report is intended solely for the official use of the Department of State or the Broadcasting Board of Governors, or any agency or organization receiving a copy directly from the Office of Inspector General. No secondary distribution may be made, in whole or in part, outside the Department of State or the Broadcasting Board of Governors, by them or by other agencies or organizations, without prior authorization by the Inspector General. Public availability of the document will be determined by the Inspector General under the U.S. Code, 5 U.S.C. 552. Improper disclosure of this report may result in criminal, civil, or administrative penalties.

Introduction

In response to the Federal Information Security Management Act of 2002 (FISMA),[1] the Office of Inspector General (OIG) performed an independent review and evaluation of the information security program of the Broadcasting Board of Governors (BBG). FISMA provides a comprehensive framework for establishing and ensuring the effectiveness of controls over information technology (IT) resources that support federal operations and assets, and a mechanism for improved oversight of federal agency information security programs.
In addition, Office of Management and Budget (OMB) implementation guidance for FISMA requires OIGs to assess the development, implementation, and management of the agency-wide plan of action and milestones (POA&M) process and to focus on performance measures. The specific objectives of OIG’s review were to assess BBG’s progress in developing its information security program and practices as they relate to FISMA and to determine BBG’s processes for implementing the requirements of the law.

To fulfill the review objectives, OIG met with BBG officials from the International Broadcasting Bureau (IBB), Radio Sawa, the Office of Cuba Broadcasting (OCB), and two overseas transmitting stations in the Philippines. OIG did not conduct a detailed review of BBG’s grantee organizations, Radio Free Europe/Radio Liberty (RFE/RL), Radio Free Asia (RFA), and Middle East Television Network, but did hold meetings and gather relevant documentation to assess each organization’s approach to information security. OIG also did not conduct a review of Radio Farda, a joint effort of RFE/RL and Voice of America. Grantees are private, nonprofit organizations that own and operate their own IT systems.

In addition to discussions with BBG management and staff, OIG performed a detailed analysis of BBG’s system risk assessments and its general support system and major application security plans. OIG collected other relevant supporting IT documentation as appropriate. OIG’s IT staff performed this review from April 2004 through the first week of September 2004. Major contributors to this report were Lynn Allen, James Davies, Mary Heard, Anthony Carbone, and Brandon Carter. Comments or questions about the report may be directed to Mr. Davies at daviesj@state.gov or (703) 284-2673.

[1] P.L. 107-347, Title III; 44 U.S.C. 3541 et seq.

Results in Brief

OIG’s evaluation of BBG’s information security program concluded that BBG has made progress in the past year in reorganizing its IT program. As of May 30, 2004, BBG had appointed a Chief Technology Officer (CTO), a new Chief Information Officer (CIO), and a Chief Information Security Officer (CISO). Additionally, BBG defined 24 major systems; performed risk assessments; and developed general support system and major application system security plans, operating system security configuration standards, patch management policies, an incident response plan, and a user IT security training program. BBG has developed POA&Ms for 10 of its 24 systems and is working on completing the remaining 14 POA&Ms as required. The first FY 2004 quarterly report to OMB under the new organizational structure, submitted in July, identified 20 information security weaknesses within the 10 completed POA&Ms, of which two had been corrected.

Despite this progress, several key areas of information security still require management attention. BBG’s CIO has not developed an agency-wide enterprise architecture as required by FISMA implementation guidance and the earlier enacted Clinger-Cohen Act.[2] Also, BBG’s transmitting stations need headquarters guidance to meet information security requirements.

[2] Information Technology Management Reform Act of 1996, P.L. 104-106, Div. E; 40 U.S.C. 11101 et seq.

Background

The U.S. International Broadcasting Act of 1994[3] created BBG as a self-governing element within the former United States Information Agency, which provided limited administrative, technical, and management support to BBG. The Foreign Affairs Reform and Restructuring Act of 1998[4] granted BBG independence from the United States Information Agency on October 1, 1999. With the exception of limited Department of State broadcasting, BBG is responsible for overseeing all U.S. government-funded civilian broadcasting, including the operations of IBB, which includes Voice of America, and OCB. BBG also oversees three grantee organizations: RFE/RL, RFA, and Middle East Television Network. Additionally, BBG oversees Radio Sawa, which is to be converted to grantee status during October 2004, and Radio Farda, a joint effort of RFE/RL and Voice of America that complements Voice of America’s Persian-language radio and television broadcasts into Iran.

Information security is an important consideration for any organization that depends on information systems and networks to carry out its mission. The dramatic expansion and rapid increase in the use of the Internet have changed the way the U.S. government, the private sector, and much of the world communicate and conduct business. However, without proper safeguards, this widespread interconnectivity poses significant risks to the infrastructure it supports and makes it easier and relatively inexpensive for individuals and groups to eavesdrop on government operations, obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other information networks and systems. The war on terrorism and recent terrorist attacks underscore the need to maintain information security in order to continue program broadcasting to BBG audiences relying on impartial reports via satellite television and radio. U.S. broadcasting initiatives, which use information systems and networks to complete their mission, counter the efforts of local newspapers and broadcasters that portray the United States as anti-Muslim.

Faced with continued concerns about information security risks to the federal government, Congress passed and the President signed FISMA into law in December 2002. The law provides a comprehensive framework for establishing and ensuring the effectiveness of controls over information resources that support federal operations and assets, and a mechanism for improving oversight of federal agency information security programs. Also, FISMA and OMB implementation guidance specifically:

• require agency OIGs to assess the development, implementation, and management of the agency POA&M process;
• require agency development of minimum standards for agency systems;
• introduce a statutory definition of information security;
• define agency IT security responsibilities; and
• broaden the scope of the Clinger-Cohen Act to include federal information systems used or operated by contractors acquired for use on federal contracts.

FISMA and OMB implementation guidance also require that each agency:

• develop and maintain a major information systems inventory;
• develop system configuration requirements;
• perform periodic (at least annual) testing and evaluation of systems;
• include provisions for continuity of operations in its security program;
• have a qualified senior agency information security officer report to the CIO; and
• send annual reports to OMB and various congressional committees.

[3] P.L. 103-236, Title III, Sec. 301 et seq.
[4] P.L. 105-277.

Overview of BBG’s Information Security Program

OIG found in February 2001 that BBG did not have a documented information security program or written policies and procedures covering information security. During 2001, BBG’s senior management began taking actions to develop its IT security program by appointing a CIO, who drafted a framework for the BBG information security program and started developing security plans to protect BBG’s mission-critical systems. During its 2002 Government Information Security Reform Act (GISRA) evaluation,[5] OIG noted that BBG was making progress in developing its agency-wide information security program by completing program-level self-assessments and documenting the results in its quarterly POA&M reports to OMB. In OIG’s 2003 FISMA evaluation,[6] OIG reported that BBG had made limited progress in complying with the requirements of FISMA.

OIG closed five of its nine recommendations from the GISRA 2002 and FISMA 2003 evaluations. BBG continues to work toward closing the remaining recommendations by implementing actions designed to develop system security plans and functional-level contingency plans, complete an agency-wide information security program plan and timeline for completion of FISMA requirements, and provide each functional area with guidance to develop POA&Ms, system-level security plans, and self-assessments.

In April 2004, Congress approved, and on May 30, 2004, BBG implemented, a reorganization of its IT functions into a common program area, the Engineering and Technical Services Directorate, which incorporated OCB, Voice of America, and IBB activities. BBG assigned the director of the Engineering and Technical Services Directorate as the CTO and appointed a CISO.

In FY 2004, to meet the requirements for developing an agency-wide security program, BBG defined 24 major systems under two program areas. Additionally, BBG performed risk assessments and developed general support system and major application system security plans, operating system security configuration standards, patch management policies, an incident response plan, and a user IT security training program. Also, BBG developed POA&Ms for 10 of its 24 major systems and provided OIG with a program action plan, which addresses BBG’s approach to creating an agency-wide continuity of operations plan, system-level risk assessments, security plans, and POA&Ms.

[5] Information Security Program Evaluation: Broadcasting Board of Governors (IT-A-02-07, Sept. 2002).
[6] Review of the Information Security Program at Broadcasting Board of Governors (IT-A-03-14, Sept. 2003).

Review Findings

Progress in Developing BBG’s Information Security Program

BBG changed its IT organizational structure in FY 2004, establishing and filling senior-level IT management positions and consolidating disparate units under one IT authority. Under the revised structure, BBG is making progress in developing its information security program to meet FISMA requirements. OIG supports BBG’s progress in developing its IT program and is not making recommendations where BBG management is already taking action or developing plans to correct weaknesses and deficiencies. OIG encourages BBG senior management and staff to continue developing the IT program to meet FISMA requirements and National Institute of Standards and Technology (NIST) guidance.

Progress in Meeting FISMA Requirements

In the FY 2002 GISRA evaluation, OIG disagreed with BBG’s approach of grouping all systems within five functional areas because this organizational structure did not appear to meet GISRA security requirements. During the FY 2003 FISMA evaluation of BBG, OIG also reported that the BBG CIO had neither the time nor the IT qualifications to carry out the CIO’s role and had not assigned a senior agency information security officer or information system security officers. In addition, during FY 2003, IBB’s director noted several IT operational deficiencies and areas for improvement and hired a contractor to perform an independent review of BBG IT services, management, and operations. The independent review identified BBG’s lack of effective communication and collaboration among program areas and recommended a restructuring of BBG’s IT organization.

In April 2004, Congress approved, and on May 30, 2004, BBG implemented, a reorganization of its IT management structure, responsibilities, and functions, establishing the Engineering and Technical Services Directorate for overall IT program management and for the IT functions in OCB, Voice of America, and IBB. BBG named the director of the Engineering and Technical Services Directorate as the CTO, with responsibility for all engineering and transmission service functions, and added a new consolidated Information Technology Directorate. BBG appointed a qualified CIO and CTO to direct and oversee a broad range of statutory functions, including meeting the FISMA requirements. The CIO reports directly to the Board on all IT matters. Lastly, BBG created, and the CIO filled, the CISO position, which reports directly to the CIO and is responsible for overseeing and participating in the planning, assessing, and testing of IT operations and for ensuring compliance with FISMA.

Since last year’s FISMA report, the agency has taken steps to meet FISMA and NIST guidance for developing an agency-wide IT security program. (See Appendix A.) Specifically, BBG defined 24 major systems under the Engineering and Technical Services Directorate. OIG found that managers were still unsure of the number of major systems they were responsible for, and the CIO agreed to review the number of major systems before next year’s FISMA evaluation. Additionally, BBG developed operating system security configuration management policy for many of its operating systems. Also, BBG developed a generic incident response plan for use at headquarters that it plans to refine further for use at its transmitting stations and other field operations. Lastly, BBG’s management effectively incorporated user IT security training into its overall IT security program.

BBG performed adequate risk assessments and developed general support system and major application system security plans and POA&Ms for 10 of its 24 major systems. However, much of the documentation BBG developed is not at the individual system level. BBG lacks IT policies and procedures but has developed a program action plan to address the lack of documentation at transmitting stations, continuity of operations plans, certification and accreditation, training of the IT support staff, POA&Ms, and vulnerability and penetration testing. BBG management intends to complete the program action plan by mid-FY 2005.

Developing an Enterprise Architecture

BBG has not developed an agency-wide IT enterprise architecture or a capital planning and investment control process. In discussions with OIG, the new CIO acknowledged the need for both and explained that BBG is determining how it will develop its enterprise architecture. Additionally, BBG has made limited progress in tying budget requests to the business case process. The new CIO said that BBG would address this requirement in its current FY 2006 budget cycle. The enterprise architecture will help ensure that BBG aligns its information system requirements with its business processes and provides adequate interoperability between systems, the desired redundancy of systems, and the necessary systems security.

The enterprise architecture is required by the Clinger-Cohen Act, and the requirement is reinforced by FISMA and OMB guidance. Agency CIOs should, at a minimum, develop an enterprise architecture that includes the agency’s business processes, information flows, hardware and software, data descriptions, and IT infrastructure.

FISMA, the Clinger-Cohen Act, and OMB guidance also make agencies responsible for developing and maintaining a capital planning and investment control process. This process requires agencies to have two separate and distinct plans: the Information Resources Management Strategic Plan, which covers all IT resources of the agency, and the agency Strategic Plan required by OMB Circular A-11, which ensures that IT decisions are part of organizational planning, budget decisions, and IT procurement.

Recommendation 1: OIG recommends that the Chairman, Broadcasting Board of Governors, direct the Chief Information Officer to develop an enterprise architecture that will help the Broadcasting Board of Governors align its information system requirements with its mission processes and provide adequate interoperability between systems, redundancy of systems, and systems security.

BBG Response

BBG concurred with this recommendation and said it has no comments regarding the recommendation, other than to note that the matters cited have already been identified by the CIO and BBG IT management officials, who plan to address them more fully in the coming year.

OIG Comment

OIG accepts BBG’s response and considers this recommendation resolved. OIG will consider closing this recommendation when BBG provides documentation showing that it developed an enterprise architecture that aligns its information system requirements with its mission processes and provides adequate interoperability between systems, redundancy of systems, and systems security.

Recommendation 2: OIG recommends that the Chairman, Broadcasting Board of Governors, direct the Chief Information Officer to develop a capital planning and investment control process that includes all agency information technology resources and ensures that information technology decisions are included in the agency’s organizational planning, budgeting, and procurement decisions.

BBG Response

BBG concurred with this recommendation and said it has no comments regarding the recommendation, other than to note that the matters cited have already been identified by the CIO and BBG IT management officials, who plan to address them more fully in the coming year.

OIG Comment

OIG accepts BBG’s response and considers this recommendation resolved. OIG will consider closing this recommendation when BBG provides documentation showing that it developed a capital planning and investment control process that includes all agency IT resources and ensures that IT decisions are included in the agency’s organizational planning, budgeting, and procurement decisions.

Providing Guidance to Transmitting Stations

OIG found that transmitting station managers were generally aware of FISMA and, in some instances, had received some information on headquarters security plans, risk assessments, and incident response handling. However, at the two transmitting sites OIG reviewed in the Philippines, managers were not aware of their responsibilities for satisfying information security requirements at the stations. They had started receiving information from headquarters concerning information security, FISMA, and NIST guidance in late May 2004, when BBG implemented its new organizational structure. The station managers were notified that they were to be the station FISMA program managers, but their responsibilities were not spelled out.

Station managers were aware of basic information security requirements but lacked headquarters instructions and guidance on adapting generic plans, policies, and procedures for use at the stations and on conducting system self-assessments and developing POA&Ms as required by FISMA. Station managers were aware of the organizational IT changes and were looking forward to receiving headquarters guidance to put the necessary information security measures in place.

In OIG’s opinion, much of the success of BBG’s IT security program depends on station managers having adequate headquarters instructions and guidance to meet their IT security requirements as defined under FISMA. Failure to develop such guidance could adversely affect BBG’s agency-wide security program.

Recommendation 3: OIG recommends that the Chairman, Broadcasting Board of Governors, direct the Chief Information Officer to provide station managers with instructions and guidance to adapt information technology security plans, policies, and procedures for use at transmitting stations.

BBG Response

BBG concurred with this recommendation and said it has no comments regarding the recommendation, other than to note that the matters cited have already been identified by the CIO and BBG IT management officials, who plan to address them more fully in the coming year.

OIG Comment

OIG accepts BBG’s response and considers this recommendation resolved. OIG will consider closing this recommendation when BBG provides documentation showing that it provided instructions and guidance to station managers to adapt their IT security plans, policies, and procedures.

Recommendations

Recommendation 1: OIG recommends that the Chairman, Broadcasting Board of Governors, direct the Chief Information Officer to develop an enterprise architecture that will help the Broadcasting Board of Governors align its information system requirements with its mission processes and provide adequate interoperability between systems, redundancy of systems, and systems security.

Recommendation 2: OIG recommends that the Chairman, Broadcasting Board of Governors, direct the Chief Information Officer to develop a capital planning and investment control process that includes all agency information technology resources and ensures that information technology decisions are included in the agency’s organizational planning, budgeting, and procurement decisions.

Recommendation 3: OIG recommends that the Chairman, Broadcasting Board of Governors, direct the Chief Information Officer to provide station managers with instructions and guidance to adapt information technology security plans, policies, and procedures for use at transmitting stations.

Abbreviations

BBG      Broadcasting Board of Governors
CIO      Chief Information Officer
CISO     Chief Information Security Officer
CTO      Chief Technology Officer
FISMA    Federal Information Security Management Act of 2002
GISRA    Government Information Security Reform Act
IBB      International Broadcasting Bureau
IT       Information technology
NIST     National Institute of Standards and Technology
OCB      Office of Cuba Broadcasting
OIG      Office of Inspector General
OMB      Office of Management and Budget
POA&M    Plan of action and milestones
RFA      Radio Free Asia
RFE/RL   Radio Free Europe/Radio Liberty

Appendix A

BBG Progress in Developing a Security Program

BBG planned and completed GISRA/FISMA work, by FISMA and OMB implementation guidance requirement:

FISMA and OMB Implementation Guidance                GISRA 2002    FISMA 2003    FISMA 2004
Enterprise Architecture                              No            No            No
Agency-wide Information Security Program Plan        Partially     Partially     Partially [a]
Periodic Risk Assessments                            Partially     Partially     Partially [b]
Policies and Procedures                              No            Partially     Partially [c]
Systems Inventory                                    No            Partially     Partially [d]
System Security Plans                                Partially     Partially     Partially [e]
Periodic Testing of Policies and Procedures          No            No            No
Plan of Action and Milestones (POA&M)                Partially     Partially     Partially [f]
Security Incident Reporting Procedures               No            Partially     Yes
Senior Agency Information Security Officer           No            No            Yes
Security Awareness Training                          No            No            Yes
Contingency Plans                                    Partially     Partially     Partially [g]
Configuration Standard & Patch Management Policy     n/a           n/a           Partially [h]
Self-Assessments (NIST SP 800-26)                    Partially     Partially     Partially [i]
System Certification & Accreditation                 No            No            No [j]
OMB Executive Summary                                Yes           Yes           Yes

Legend: Yes indicates BBG completed the requirement. No indicates that the requirement was not started. Partially indicates the task is in process but not completed. n/a indicates the requirement did not apply during this period.

[a] Pending OMB approval.
[b] For FY 2004, BBG reorganized its IT program from four domains to 24 major systems. It has not, however, completed periodic risk assessments for its 12 transmitting stations. Risk assessments are scheduled for completion in FY 2005.
[c] In FY 2003, BBG hired a contractor to develop policies and procedures for the Office of Computing Services. The policies and procedures were to be distributed throughout the agency, but BBG has not yet distributed them.
[d] For FY 2004, BBG defined 24 major systems for FISMA purposes. However, it has not yet developed an enterprise architecture that would help it define all of its systems.
[e] For FY 2004, BBG has developed system security plans for 13 of its 24 major systems and is working to complete plans for the remaining 11.
[f] For FY 2004, BBG developed POA&Ms for 10 of its 24 major systems and intends to complete the remaining 14 in FY 2005.
[g] BBG has contingency plans for 2 of its 24 major systems.
[h] BBG has written configuration standards and patch management policy for 5 of its 10 operating systems.
[i] BBG has not yet completed self-assessments for FY 2004.
[j] BBG started the system certification and accreditation process for its major systems. Certification and accreditation is scheduled for completion in FY 2005.

Appendix B

Comments From the Broadcasting Board of Governors

BROADCASTING BOARD OF GOVERNORS
UNITED STATES OF AMERICA

September 16, 2004

Mr. Lynn Allen
Assistant Inspector General
Department of State
2201 C Street, N.W.
Washington, D.C. 20520

Dear Mr. Allen:

The Broadcasting Board of Governors appreciates the opportunity to review and comment on your Memorandum Report IT-A-04-07 titled, Review of the Information Security Program at Broadcasting Board of Governors, September 2004.

The BBG is pleased that the Report finds that several of its recent actions designed to strengthen information management operations have contributed to visible progress in the development of information security programs. These actions include a major reorganization of information technology functions and staff in the IBB, a clarification and re-emphasis of the role of the Chief Information Officer, and the appointment of a full-time Chief Information Security Officer. BBG anticipates that, as this new IT organization and management matures, we will make increasingly efficient progress in ensuring the security of our information operations and in complying with the extensive scope of information security regulations. We are pleased to acknowledge the continuing assistance of the OIG's Information Technology staff in advising the CIO and other IT officials regarding many relevant security matters.

The BBG concurs with the three recommendations contained in the Report. At this time we have no comments regarding the recommendations, other than to note the matters cited have already been identified by the CIO and IBB Information Technology management officials who plan to address them more fully in the coming year. Also some of the recommendations, those that address required development of IT plans and related compliance documentation, are resource intensive and may require more than a year to accomplish fully. We will of course keep your IT staff informed of progress in accomplishing the recommendations as they occur.

Sincerely,

Kenneth Y. Tomlinson
Chairman

330 INDEPENDENCE AVENUE, SW, ROOM 3360, COHEN BUILDING, WASHINGTON, DC 20237, (202) 401-3736, FAX (202) 401-6605